ARTICLE
31 October 2024

Amendments To NYDFS' Cybersecurity Regulations Take Effect November 1

Sheppard Mullin Richter & Hampton


The New York Department of Financial Services has modified its cybersecurity requirements for regulated entities. These requirements are in addition to those included in the regulations as last updated in November of last year. The new requirements go into effect November 1, 2024. They modify several parts of the rule, including:

  • CISO reporting requirements: Under the current regulations, the CISO must report on cybersecurity to the company's leadership. The revised regulations now require that report to include information about remediation plans. Separate from the annual report, the CISO will also need to report any material cybersecurity issue (such as a breach) to senior officers.
  • New responsibilities for the senior governing body: As revised, the regulations emphasize that the regulated entity's senior governing body is responsible for overseeing cybersecurity risk management. This includes understanding cybersecurity-related concepts. Senior leadership's obligations also include reviewing management reports about cybersecurity matters and confirming that the company has devoted enough resources to implement an effective cybersecurity program.
  • Encrypt all nonpublic information: The new amendments removed an exception for encrypting data that is in transit. Now, companies need to encrypt all nonpublic information being moved to external systems.
  • Update the incident response plan: As amended, the regulations call for different content in regulated entities' incident response plans. This includes processes for responding to a cybersecurity event and for recovering from system backups. IRPs will also need to include provisions for conducting root cause analyses of incidents.
  • Business continuity and disaster recovery plan: As amended, the regulations clarify the requirements for disaster recovery plans. Among other things, the plans need to be in writing and identify all things necessary to continue operations during a cyber-related event. Provisions also need to be in place to train employees who implement both IRPs and the recovery plans.
  • New categories for exempted companies: As revised, businesses with fewer than twenty employees or less than $7,500,000 in annual revenue over the past three years are afforded certain exemptions. This increases the previous 10 employee and $5,000,000 exemption levels. Businesses with less than $15,000,000 (instead of $10,000,000) in year-end total assets are exempt as well.

Putting it into Practice: Modifying its cybersecurity regulations may become a November tradition for NYDFS. Companies covered by the regulation should keep in mind these new obligations, especially on reporting and internal plans, when reviewing their cybersecurity programs.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
